Add SSH deploy script for ia.enso nginx on proxy

**Motivations:**
- Apply proxy configuration from a workstation without manual scp steps.

**Root causes:**
- No automation existed for pushing nginx files to 192.168.1.100.

**Correctifs:**
- N/A.

**Evolutions:**
- deploy-ia-enso-to-proxy.sh with ProxyJump, optional generated Bearer token, retry without duplicate websocket map.

**Pages affectées:**
- deploy/nginx/deploy-ia-enso-to-proxy.sh
- deploy/nginx/README-ia-enso.md
- docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md

deploy/nginx/README-ia-enso.md

@@ -1,5 +1,19 @@
 # ia.enso.4nkweb.com — Nginx on the proxy (192.168.1.100)
 
+## Automated deploy (from a machine with SSH access)
+
+From the `smart_ide` repository root:
+
+```bash
+export IA_ENSO_OLLAMA_BEARER_TOKEN='your-long-secret'   # optional: omit to auto-generate (printed once)
+export DEPLOY_SSH_PROXY_HOST='4nk.myftp.biz'            # optional: empty for direct LAN SSH to proxy
+./deploy/nginx/deploy-ia-enso-to-proxy.sh
+```
+
+Uses `ia_dev/deploy/_lib/ssh.sh` (BatchMode, ProxyJump). Requires passwordless `sudo` for `nginx` on the proxy.
+
+---
+
 Reverse proxy to `192.168.1.164`:
 
 - `https://ia.enso.4nkweb.com/ollama/` → Ollama `11434` (Bearer gate, then `Authorization` cleared upstream).

deploy/nginx/deploy-ia-enso-to-proxy.sh

@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+#
+# Push ia.enso.4nkweb.com nginx config to the LAN proxy (192.168.1.100) over SSH.
+# Requires passwordless sudo for nginx on the proxy host.
+#
+# Environment:
+#   IA_ENSO_OLLAMA_BEARER_TOKEN   Bearer secret for /ollama (if unset, openssl rand -hex 32).
+#   IA_ENSO_SSH_KEY               SSH private key (default: ~/.ssh/id_ed25519).
+#   IA_ENSO_PROXY_USER            SSH user on proxy (default: ncantu).
+#   IA_ENSO_PROXY_HOST            Proxy IP or hostname (default: 192.168.1.100).
+#   DEPLOY_SSH_PROXY_HOST         Jump host (default: 4nk.myftp.biz); empty = direct SSH to proxy.
+#   DEPLOY_SSH_PROXY_USER         Jump user (default: same as IA_ENSO_PROXY_USER).
+#
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SMART_IDE_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+SSH_LIB="${SMART_IDE_ROOT}/ia_dev/deploy/_lib/ssh.sh"
+
+if [[ ! -f "$SSH_LIB" ]]; then
+	echo "Missing ${SSH_LIB} (ia_dev submodule checkout?)" >&2
+	exit 1
+fi
+
+# shellcheck source=/dev/null
+source "$SSH_LIB"
+
+IA_ENSO_SSH_KEY="${IA_ENSO_SSH_KEY:-${HOME}/.ssh/id_ed25519}"
+IA_ENSO_PROXY_USER="${IA_ENSO_PROXY_USER:-ncantu}"
+IA_ENSO_PROXY_HOST="${IA_ENSO_PROXY_HOST:-192.168.1.100}"
+DEPLOY_SSH_PROXY_HOST="${DEPLOY_SSH_PROXY_HOST:-4nk.myftp.biz}"
+DEPLOY_SSH_PROXY_USER="${DEPLOY_SSH_PROXY_USER:-$IA_ENSO_PROXY_USER}"
+export DEPLOY_SSH_PROXY_HOST
+export DEPLOY_SSH_PROXY_USER
+
+TOKEN="${IA_ENSO_OLLAMA_BEARER_TOKEN:-}"
+if [[ -z "$TOKEN" ]]; then
+	TOKEN="$(openssl rand -hex 32)"
+	echo "IA_ENSO_OLLAMA_BEARER_TOKEN was unset; generated token (store for Cursor API key):"
+	echo "$TOKEN"
+	echo "---"
+fi
+
+if [[ "$TOKEN" == *'"'* ]] || [[ "$TOKEN" == *'\'* ]]; then
+	echo "Token must not contain double quotes or backslashes." >&2
+	exit 1
+fi
+
+write_maps_file() {
+	local path="$1"
+	local with_websocket="$2"
+	{
+		if [[ "$with_websocket" == "1" ]]; then
+			cat <<'MAPEOF'
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+MAPEOF
+		fi
+		cat <<MAPEOF
+map \$http_authorization \$ia_enso_ollama_authorized {
+    default 0;
+    "Bearer ${TOKEN}" 1;
+}
+MAPEOF
+	} >"$path"
+}
+
+TMP_DIR="$(mktemp -d)"
+cleanup() {
+	rm -rf "$TMP_DIR"
+}
+trap cleanup EXIT
+
+try_install() {
+	local with_ws="$1"
+	write_maps_file "${TMP_DIR}/ia-enso-http-maps.conf" "$with_ws"
+	scp_copy "$IA_ENSO_SSH_KEY" "${TMP_DIR}/ia-enso-http-maps.conf" "$IA_ENSO_PROXY_USER" "$IA_ENSO_PROXY_HOST" "/tmp/ia-enso-http-maps.conf"
+	scp_copy "$IA_ENSO_SSH_KEY" "${SCRIPT_DIR}/sites/ia.enso.4nkweb.com.conf" "$IA_ENSO_PROXY_USER" "$IA_ENSO_PROXY_HOST" "/tmp/ia.enso.4nkweb.com.conf"
+	ssh_run "$IA_ENSO_SSH_KEY" "$IA_ENSO_PROXY_USER" "$IA_ENSO_PROXY_HOST" bash <<'REMOTE'
+set -euo pipefail
+sudo install -d -m 0755 /etc/nginx/conf.d
+sudo install -m 0644 /tmp/ia-enso-http-maps.conf /etc/nginx/conf.d/ia-enso-http-maps.conf
+sudo install -m 0644 /tmp/ia.enso.4nkweb.com.conf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf
+sudo ln -sf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf /etc/nginx/sites-enabled/ia.enso.4nkweb.com.conf
+rm -f /tmp/ia-enso-http-maps.conf /tmp/ia.enso.4nkweb.com.conf
+if ! grep -q 'include /etc/nginx/conf.d/\*\.conf;' /etc/nginx/nginx.conf; then
+  echo "ERROR: /etc/nginx/nginx.conf must include conf.d inside http { }." >&2
+  echo "Add: include /etc/nginx/conf.d/*.conf;" >&2
+  exit 1
+fi
+sudo nginx -t
+sudo systemctl reload nginx
+echo "nginx reload OK"
+REMOTE
+}
+
+if ! try_install 1; then
+	echo "Retrying with Bearer map only (websocket map likely already defined on proxy)..."
+	if ! try_install 0; then
+		echo "Deploy failed (SSH, sudo, nginx -t, or missing include /etc/nginx/conf.d/*.conf)." >&2
+		echo "Re-run from a host with ProxyJump access to the proxy; reuse token with IA_ENSO_OLLAMA_BEARER_TOKEN if needed." >&2
+		exit 1
+	fi
+fi
+
+echo "Done. Cursor: base URL https://ia.enso.4nkweb.com/ollama/v1 and API key = token printed above."

docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md

@@ -17,6 +17,7 @@ Expose Ollama and AnythingLLM on the public proxy hostname with HTTPS, path pref
 - `deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example` — `map` for `$ia_enso_ollama_authorized`.
 - `deploy/nginx/http-maps/websocket-connection.map.conf.example` — `map` for `$connection_upgrade` (AnythingLLM WebSocket).
 - `deploy/nginx/sites/ia.enso.4nkweb.com.conf` — `server` blocks and upstreams.
+- `deploy/nginx/deploy-ia-enso-to-proxy.sh` — push maps + site over SSH, `nginx -t`, reload (Bearer-only retry if websocket `map` already exists).
 - `deploy/nginx/README-ia-enso.md` — installation and verification on the proxy.
 
 ## Deployment modalities